Reducing Your Risk of a Data Breach
Almost daily, news breaks of another corporate data breach that puts millions of customers’ sensitive records in the hands of hackers. It has happened within the largest, most secure segments of the corporate elite. Businesses that collect personal information from consumers are required to have a security plan to protect the confidentiality and integrity of that information. This report provides information for businesses to consider, and resources to help, in designing and implementing a data security plan.
The Safeguards Rule
When consumers open an account, register to receive information, or purchase a product from a business, it is very likely that they will entrust their personal information as part of the process. If this information is compromised, the consequences can be far-reaching: consumers can be at risk of identity theft, or they can discontinue dealing with the business.
A business that collects personal information from consumers should have a security plan to protect the confidentiality and integrity of the information. For financial institutions that collect personal information from their customers, such as their names, addresses and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers, the Gramm-Leach-Bliley (GLB) Act requires that they ensure the security and confidentiality of the information. As part of its implementation of the GLB Act, the Federal Trade Commission (FTC) has issued the Safeguards Rule.
The Safeguards Rule applies to businesses, regardless of size, that are "significantly engaged" in providing financial products or services to consumers. This includes check-cashing businesses, data processors, mortgage brokers, non-bank lenders, personal property or real estate appraisers, professional tax preparers, courier services, and retailers that issue credit cards to consumers. The Safeguards Rule also applies to financial companies, like credit reporting agencies and ATM operators, that receive information from other financial institutions about their customers. In addition to developing their own safeguards, businesses are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care.
The threats to the security of a business’ information are varied – from computer hackers to disgruntled employees to simple carelessness. While protecting computer systems is an important aspect of information security, it is only part of the process. This report provides information for a business to consider, and resources to help, in designing and implementing an information security plan.
Sound information security for a business means regular risk assessment, effective coordination and oversight, and prompt response to new developments. Basic steps in information security planning include:
- Identifying internal and external risks to the security, confidentiality, and integrity of customers’ personal information.
- Designing and implementing safeguards to control the risks.
- Periodically monitoring and testing the safeguards to be sure they are working effectively.
- Adjusting the security plan according to the results of testing, changes in operations, or other circumstances that might impact information security.
- Overseeing the information handling practices of service providers and business partners who have access to the personal information. If access to records or the computer network is provided to another organization, they should have good security programs, as well.
When setting up a security program, the business should consider all the relevant areas of its operations, including employee management and training; information systems, including network and software design, and information processing, storage, transmission and disposal; and contingencies, including preventing, detecting and responding to a system failure. Although the security planning process is universal, there’s no “one size fits all” security plan. Every business faces its own special risks. The administrative, technical, and physical safeguards that are appropriate really depend on the size and complexity of the business, the nature and scope of the business, and the sensitivity of the consumer information it keeps.
Risk Assessment and Controls
Although computer systems are not a business’ only responsibility related to information security, they are an important one. With new vulnerabilities announced almost weekly, many businesses may feel overwhelmed trying to keep current. Guidance is available from leading security professionals who put together consensus lists of vulnerabilities and defenses so that every organization, regardless of its resources or expertise in information security, can take basic steps to reduce its risks. The lists identify the commonly exploited vulnerabilities that pose the greatest risk of harm to information systems. A business can use these lists to help prioritize its efforts so that the most serious threats are tackled first.
When designing and implementing a safeguards program, the business should not forget to oversee service providers and business partners that have access to its computer network or consumers’ personal information. The business needs to check periodically whether service providers and business partners monitor and defend against common vulnerabilities as part of their regular safeguards program.
Vulnerabilities of the Internet
Four years ago, the SANS Institute and the Federal Bureau of Investigation (FBI) released a document summarizing the Top-10 most critical internet security vulnerabilities. Thousands of organizations have used that list, and the expanded Top-20 lists that followed, to prioritize their efforts so they could close the most dangerous vulnerabilities first.
This SANS Top-20 is actually two Top-10 lists: the ten most commonly exploited vulnerable services in Windows and the ten most commonly exploited elements in UNIX and Linux environments. Although there are thousands of security incidents each year affecting these operating systems, the overwhelming majority of successful attacks target one or more of these twenty vulnerable services.
The Top-20 is a consensus list of vulnerabilities that require immediate remediation. It is the result of a process that brought together dozens of leading security experts. They come from the most security-conscious government agencies in the United Kingdom, United States, and Singapore; the leading security software vendors and consulting firms; the top university-based security programs; many other user organizations; and the SANS Institute.
The SANS Top-20 is a living document. It includes step-by-step instructions and pointers to additional information useful for correcting the security flaws. The list and instructions are updated as more critical threats and more current or convenient methods of protection are identified. The site also has links to scanning tools and services at www.sans.org/top20/tools.pdf to help a business monitor its own network vulnerabilities.
Data Breach Vulnerabilities
Produced by the Open Web Application Security Project (OWASP), the OWASP Top Ten describes common vulnerabilities in web applications and databases and the most effective ways to address them. Attacks on web applications often pass undetected through firewalls and other network defense systems, putting at risk the sensitive information that these applications access. Application vulnerabilities are often neglected, but they are as important to deal with as network issues.
When a business implements safeguards, it should consider all areas of its operation, including three areas that are particularly important to information security: employee management and training; information systems; and managing system failures. The business should consider implementing the following practices in these areas.
Employee Management and Training
The success or failure of your information security plan depends largely on the employees who implement it. You may want to check references prior to hiring employees who will have access to customer information.
Ask every new employee to sign an agreement to follow your organization's confidentiality and security standards for handling customer information.
Train employees to take basic steps to maintain the security, confidentiality, and integrity of customer information, such as:
- Locking rooms and file cabinets where paper records are kept.
- Using password-activated screensavers.
- Using strong passwords (at least eight characters long).
- Changing passwords periodically, and not posting passwords near employees' computers.
- Encrypting sensitive customer information when it is transmitted electronically over networks or stored online.
- Referring calls or other requests for customer information to designated individuals who have had safeguards training.
- Recognizing any fraudulent attempt to obtain customer information and reporting it to the appropriate law enforcement agencies.
Instruct and regularly remind all employees of your organization's policy — and the legal requirement — to keep customer information secure and confidential. You may want to provide employees with a detailed description of the kind of customer information you handle (name, address, account number, and any other relevant information) and post reminders about their responsibility for security in areas where such information is stored - in file rooms, for example.
Limit access to customer information to employees who have a business reason for seeing it. For example, grant access to customer information files to employees who respond to customer inquiries, but only to the extent they need it to do their job.
Impose disciplinary measures for any breaches.
Information Systems
Information systems include network and software design, and information processing, storage, transmission, retrieval, and disposal. The following are some suggestions on how to maintain security throughout the life cycle of customer information - that is, from data entry to data disposal.
Store records in a secure area. Make sure only authorized employees have access to the area.
- Store paper records in a room, cabinet, or other container that is locked when unattended.
- Ensure that storage areas are protected against destruction or potential damage from physical hazards, like fire or floods.
- Store electronic customer information on a secure server that is accessible only with a password - or has other security protections - and is kept in a physically-secure area.
- Do not store sensitive customer data on a machine with an Internet connection.
- Maintain secure backup media and keep archived data secure, for example, by storing off-line or in a physically-secure area.
Provide for secure data transmission.
- If you collect credit card information or other sensitive financial data, use a Secure Sockets Layer (SSL) or other secure connection so that the information is encrypted in transit.
- If you collect information directly from consumers, make secure transmission automatic.
- Caution consumers against transmitting sensitive data, like account numbers, via electronic mail.
- If you must transmit sensitive data by electronic mail, ensure that such messages are password protected so that only authorized employees have access.
Dispose of customer information in a secure manner.
- Hire or designate a records retention manager to supervise the disposal of records containing nonpublic personal information.
- Shred customer information recorded on paper.
- Erase all data when disposing of computers, diskettes, magnetic tapes, hard drives, or any other electronic media that contain customer information.
- Effectively destroy the hardware.
- Promptly dispose of outdated customer information.
- Use appropriate oversight or audit procedures to detect the improper disclosure or theft of customer information. For example, supplement each of your customer lists with at least one entry (such as an account number or address) that you control, and monitor use of this entry to detect all unauthorized contacts or charges.
- Maintain a close inventory of your computers.
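As an added example (not part of the original report), the following Python sketch shows how the controlled-entry check recommended above might be monitored. It generalizes the advice slightly by giving each distributed copy of a customer list its own canary, so that a hit also identifies which copy leaked. The list labels, identifiers, authorized sources and log format are all constructed for illustration.

```python
# Added example (not from the report): canary entries in distributed customer
# lists. Each copy handed to a partner carries its own controlled entry, so a
# hit on a canary also identifies which copy leaked. All names, list labels and
# the log format below are constructed for illustration.
from dataclasses import dataclass

# canary identifier -> which distributed list copy contains it (constructed)
CANARIES = {
    "acct-00019-CANARY": "customer-list-copy-partner-A",
    "canary.a@example.com": "customer-list-copy-partner-A",
    "acct-00077-CANARY": "customer-list-copy-partner-B",
}
# Sources whose contacts with canaries are expected (e.g. our own billing run).
AUTHORIZED_SOURCES = {"internal-billing"}

@dataclass(frozen=True)
class Alert:
    timestamp: str
    identifier: str
    leaked_list: str
    source: str

def parse_event(line):
    """Constructed log format: timestamp|source|event|identifier."""
    ts, source, event, ident = line.strip().split("|", 3)
    return ts, source, event, ident

def detect_canary_use(log_lines):
    """Return an Alert for every unauthorized contact or charge on a canary."""
    alerts = []
    for line in log_lines:
        if not line.strip():
            continue
        ts, source, _event, ident = parse_event(line)
        leaked = CANARIES.get(ident)
        if leaked is not None and source not in AUTHORIZED_SOURCES:
            alerts.append(Alert(ts, ident, leaked, source))
    return alerts

# Constructed sample log: one expected billing contact, two suspicious uses.
SAMPLE_LOG = """\
2024-03-01T09:00:00Z|internal-billing|statement|acct-00019-CANARY
2024-03-02T14:12:31Z|web-checkout|charge|acct-00077-CANARY
2024-03-02T14:15:07Z|smtp-inbound|marketing-mail|canary.a@example.com
2024-03-02T14:20:00Z|web-checkout|charge|acct-12345
"""

if __name__ == "__main__":
    for a in detect_canary_use(SAMPLE_LOG.splitlines()):
        print(f"{a.timestamp} {a.identifier} via {a.source}: {a.leaked_list} leaked")
```

The billing contact on the first canary is expected and produces no alert; the two unauthorized uses each point back to the partner copy that must have leaked.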
Managing System Failures
Effective security management includes the prevention, detection, and response to attacks, intrusions, or other system failures.
Maintain up-to-date and appropriate programs and controls by:
- Following a written contingency plan to address any breaches of your physical, administrative, or technical safeguards.
- Checking with software vendors regularly to obtain and install patches that resolve software vulnerabilities.
- Using anti-virus software that updates automatically.
- Maintaining up-to-date firewalls, particularly if you use broadband Internet access or allow employees to connect to your network from home or other off-site locations.
- Providing central management of security tools for your employees and passing along updates about any security risks or breaches.
Take steps to preserve the security, confidentiality, and integrity of customer information in the event of a computer or other technological failure. For example, back up all customer data regularly.
Maintain systems and procedures to ensure that access to nonpublic consumer information is granted only to legitimate and valid users. For example, use tools like passwords combined with personal identifiers to authenticate the identity of customers and others seeking to do business with the financial institution electronically.
Notify customers promptly if their nonpublic personal information is subject to loss, damage or unauthorized access.
Disposing of Consumer Report Information
In an effort to protect the privacy of consumer information and reduce the risk of fraud and identity theft, a new federal rule is requiring businesses to take appropriate measures to dispose of sensitive information derived from consumer reports.
Any business or individual who uses a consumer report for a business purpose is subject to the requirements of the Disposal Rule. The Rule requires the proper disposal of information in consumer reports and records to protect against “unauthorized access to or use of the information.”
According to the FTC, the standard for the proper disposal of information derived from a consumer report is flexible, and allows the organizations and individuals covered by the Rule to determine what measures are reasonable based on the sensitivity of the information, the costs and benefits of different disposal methods, and changes in technology.
As you begin to undertake the tasks above in an effort to secure your business from data breaches, remember to back up your important files to an encrypted, offsite, redundant storage facility. Taking on the task of getting your data secure can feel overwhelming, and it’s here where accomplishing small goals each day will pay off. While you’re thinking about protecting your data, remember to take time out and review your business policy with an agent. You’re going to find coverage that fits your business’ needs, and feel great knowing that you’re protected from whatever might come your way.